 

Security risks of AJAX form validation?

I want to validate a form without having to reload the entire page. I am using JavaScript at the moment, however this is massively insecure. To get round this, I want to use AJAX and a PHP script to validate the form. Does anyone know of any security risks this might have?

I also assume the AJAX method is far safer than vanilla JS, but I could be wrong?

Bojangles asked Dec 02 '10 10:12


3 Answers

They are exactly the same as the risks of validating with pure client side JavaScript. The only difference is that you are asking the server for some data as part of the process.

The user can override the JavaScript to submit the form no matter what the validation outcome is.

The only reason to use JavaScript at all when checking data for submission is to save the user time. If as part of that you want to do something such as asking the server if a username is taken while the user fills out the rest of the form, then great — that is quite a nice use of Ajax. Otherwise, using Ajax is pretty worthless.

If you want to do client side checking, then put all the logic you can for it on the client and avoid making HTTP requests. If you have things that can only be checked server side (because they are based on data, like the example with usernames that are already taken) then consider using Ajax for that. The client side check is the convenience check. Always do the security check server side and on the final submitted data.

Note that validating data that is actually submitted using Ajax is a different matter — since that is the final submitted data. It is doing Ajax validation as a precursor to the final submission that doesn't add any trust to the data.

Quentin answered Sep 28 '22 06:09
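Added example, not part of the original answers: a sketch of the split described above, with an advisory Ajax username check and a final submission handler that re-applies every rule to the submitted data. It is written in JavaScript for both sides (the question's server side would be a PHP script), and all function names, field names and the in-memory `Set` standing in for the users table are assumptions.

```javascript
// Added illustration; every name here is hypothetical, and the Set stands in for a users table.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Format rules. The same function could also run in the browser as the convenience check.
function validateFields(body) {
  const { username, email } = body || {};
  const errors = [];
  if (typeof username !== "string" || !USERNAME_RE.test(username)) errors.push("username");
  if (typeof email !== "string" || !EMAIL_RE.test(email)) errors.push("email");
  return errors;
}

// Ajax pre-check while the user is still typing: advisory only, it grants no trust.
function handleUsernameCheck(query, users) {
  const name = (query || {}).username;
  return { available: typeof name === "string" && USERNAME_RE.test(name) && !users.has(name) };
}

// Final submission: the body is untrusted no matter what the page's script did.
// Flags such as clientValidated are ignored, and every rule is applied again.
function handleSignup(body, users) {
  const errors = validateFields(body);
  if (!errors.includes("username") && users.has(body.username)) errors.push("username_taken");
  if (errors.length > 0) return { status: 422, errors };
  users.add(body.username);
  return { status: 201, errors: [] };
}

// Constructed requests: one from the normal form, one POSTed directly past the client script.
const demoUsers = new Set(["alice", "bob"]);
const viaForm = { username: "carol", email: "carol@example.com" };
const forged = { username: "alice", email: "not-an-email", clientValidated: true };

console.log(handleUsernameCheck({ username: "carol" }, demoUsers));
console.log(handleSignup(viaForm, demoUsers));
console.log(handleSignup(forged, demoUsers));
console.log(handleSignup(viaForm, demoUsers)); // same data again: the name is now taken
```

The last call shows why the pre-check cannot stand in for the final one: a name reported as available earlier can be taken by the time the form is submitted.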


All AJAX does is offload part of the process to the server, 'hidden' from the client (in the sense the functional handling of your data/variables is hidden). That said, you should be wary of the information being sent to the server, which can be captured or worse, duped. The difference with pure JS is that your functional handling is there for all to see, and potentially exploit.

Validation shouldn't need to be done server side unless you are validating DB content (i.e. uniqueness of a username etc). If you are simply validating whether something is an email, you can do this in JS, e.g. with a RegEx.

If you are validating DB data, make sure all DB query variables which originate from sent (POST/GET) variables are escaped using mysql_real_escape_string to prevent SQL injection.

SW4 answered Sep 28 '22 06:09


You can validate data in AJAX as well as you can do it in pure JavaScript, but you have to re-validate it in your script after it receives the data. Every client-side validation method can be avoided by sending a POST request to your form target.

Jojo answered Sep 28 '22 06:09